Grafana Public Dashboard Query DoS via Unbounded JSON Size
CVE-2026-42127 Published on June 22, 2026

Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.

Vendor Advisory NVD

Weakness Type

Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.


Products Associated with CVE-2026-42127

Want to know whenever a new CVE is published for Grafana Labs Grafana? stack.watch will email you.

 

Affected Versions

Grafana Enterprise: Grafana OSS: